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Privacy Notification 


In connection with receiving reports of alleged misconduct in the Compliance Hotline containing information 
about you, H. Lundbeck A/S (“Lundbeck” or “we”) may (as the data controller) collect, process, use and 
disclose personal data about you as described in more detail in this Privacy Notification. 


Lundbeck will process your personal data according to applicable legislation, including the EU General Data 
Protection Regulation (“GDPR”). 


What categories of personal data are we processing and for what purposes? 
We may collect and process the following types of personal data about you: 
e Your contact information (e.g. name, address, e-mail address, title etc.) 
e Potential sensitive personal data that might be included in the reporting (e.g. ethnic origin, trade 
union membership etc.) 
e Potential allegations of misconduct regarding serious legal, financial or reputational risks that might 
be included in the reporting 


We process your personal data for the purpose of investigating potential misconduct. 


What is the legal basis for our processing of your personal data? 
The legal basis for our collection and processing of your personal data set out above is: 

e GDPR art. 6(1)(f) (“the balancing of interest test”). It is Lundbeck’s assessment that the processing 
of your personal data is necessary for Lundbeck to be able to investigate the potential misconduct; 
and/or 

e GDPR art 6(1)(c). A local legal obligation to investigate potential misconduct; and/or 

e GDPR art 9(2)(b). The processing is necessary for the purposes of carrying out the obligations and 
exercising specific rights regarding employment and social security and social protection law; 
and/or 

e GDPR art article 9(2)(f). The processing is necessary for the establishment, exercise or defence of 
legal claims; and/or 

e The Danish Data Protection Act art 8(3) cf. GDPR art 10. It is Lundbeck’s assessment that the 
processing of your personal data is necessary for Lundbeck to be able to investigate the potential 
misconduct; and/or 

e The Danish Data Protection Act art 11 regarding processing of social security numbers 


How did we obtain your personal data? 
The personal data Lundbeck is processing about you is collected from 
e Employees of Lundbeck; 
e Management; 
e Board members; 
e Suppliers; 
e Contracting parties; 
e Accountants; 
e = Lawyers; 
e Auditors; or 
e Other third parties who uses/can use the Compliance Hotline 
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Will we disclose your personal data to third parties? 
For the purpose of investigating and filing potential misconduct, your personal data may be disclosed and 
shared with the following recipients: 


e Relevant local authorities, including the police 
e External attorneys or auditors 
e Lundbeck Group Companies 


The legal basis for the disclosure is: 

e GDPR art. 6(1)(f) (“the balancing of interest test”). It is Lundbeck’s assessment that the disclosure 
of your personal data is necessary for Lundbeck to be able to investigate the potential misconduct; 
and/or 

e GDPR art 6(1)(c). A local legal obligation to file potential misconduct or the like to relevant local 
authorities; and/or 

e GDPR art 9(2)(f). The processing is necessary for the establishment, exercise or defence of legal 
claims; and/or 

e Danish Data Protection Act art 8(4) cf. GDPR art 10. It is Lundbeck’s assessment that the disclosure 
of your personal data is necessary for Lundbeck to be able to investigate the potential misconduct. 


Will we disclose your personal data to data processors? 
We transfer your personal data to our IT service provider and consultants, which will process your personal 
data on our behalf and on our instructions. 


Will we transfer your personal data to recipients in countries outside the EU/EEA? 
We may transfer your personal data to the following recipients located in countries outside the EU/EEA: 


e Relevant local authorities, including the police 
o Legal basis: GDPR Art 49(1) (e) 
e External attorney or auditors 
o Legal basis: GDPR Art 49(1)(e) or the European Commissions approved “Standard 
Contractual Clauses” for the transfer to countries, which have not been approved as 
providing an adequate level of protection. The “Standard Contractual Clauses” are 
available in several languages. You can find them here: http://eur-lex.europa.eu/legal- 
content/EN/TXT/?gid=1401799946706&uri=CELEX:32010D0087. ] 
e Lundbeck Group companies 
o Legal basis: Lundbeck Binding Corporate Rules. 








We transfer your personal data for the purpose of investigating and filing potential misconduct. 


How long will we store your personal data? 
We store your personal data for as long as necessary to fulfil the purposes above, however, for no longer 
than as set out below. 


e  Substantiated Cases 
Cases that are found admissible and substantiated will be retained for a minimum of five years 
or longer, if required by the legislation of the country in which the investigation is conducted. 
e Unsubstantiated Cases 
Any personal data relating to cases that were found inadmissible during the initial screening 
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process or investigated, but not substantiated, will be deleted. Exceptions to this rule are cases that 
will need to be retained for subsequent external inspections by government authorities. 


Your rights 

Subject to certain exceptions and restrictions set out in applicable legislation, you enjoy the right to request 
access to your personal data, to have your personal data rectified, deleted, or processing thereof restricted, 
and to data portability. 


You may also have the right to object to the processing, including the right to object to automated individual 








decision making and profiling or direct marketing, if this takes place. 


You also have the right to lodge a complaint with the competent local supervisory authority, such as the 
Danish Data Protection Agency (Datatilsynet). 


Contact details of Lundbeck and Lundbeck’s Data Protection Officer 

Should you have any questions in regards to the protection of your personal data or if you wish to exercise 
your legal rights, please contact Lundbeck or Lundbeck’s Data Protection Officer by using the below contact 
details: 


H. Lundbeck A/S 
Ottiliavej 9 

2500 Valby 

Phone: (+45) 4371 4270 


Lundbeck’s Data Protection Officer: 
E-mail: Dataprivacy @ Lundbeck.com 





